Bug #13101 (closed)
OpenVPN certificate validation fails
Status: Not a Bug
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
% Done: 0%
Release Notes: Default
Affected Version: 2.6.0
Description
OpenVPN fails validation of a certificate issued by pfSense acting as the CA.
This is the error returned by OpenVPN at Verbosity = 11:
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 TLS Error: TLS handshake failed
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 TLS Error: TLS object -> incoming plaintext read error
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 TLS_ERROR: BIO read tls_read_plaintext error
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 SSL alert (write): fatal: unknown CA
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 VERIFY SCRIPT ERROR: depth=1, CN=pfSense-CA, C=GB, ST=UK, L=London, O=Test Ltd.
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 TLS: executing verify command: /usr/local/sbin/ovpn_auth_verify tls OpenVPNServer 1 1 CN=pfSense-CA, C=GB, ST=UK, L=London, O=Test Ltd.
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=pfSense-CA, C=GB, ST=UK, L=London, O=Test Ltd.
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=spike, C=GB, ST=UK, L=London, O=Test Ltd.
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 SSL state (accept): TLSv1.3 early data
Apr 22 13:57:55 openvpn 17319 192.168.0.59:61823 Incoming Ciphertext -> TLS
If I manually run
/usr/local/sbin/ovpn_auth_verify tls OpenVPNServer 1 1 CN=pfSense-CA, C=GB, ST=UK, L=London, O=Test Ltd.
in the shell, the exit code is 1.
If I run the same with sh -x, I get:
sh -x /usr/local/sbin/ovpn_auth_verify tls OpenVPN+server 1 1 CN=pfSense-ca, ST=UK, L=London, O=Test Ltd.
+ [ tls '=' tls ]
+ /usr/bin/seq 1 -1 0
+ eval 'serial=$tls_serial_1'
+ serial=''
+ [ -n '' ]
+ eval 'serial=$tls_serial_0'
+ serial=''
+ [ -n '' ]
+ [ '' '=' OK ]
+ exit 1
I don't know how that
eval serial="\$tls_serial_${check_depth}"
is evaluated, but if I move it to right above RESULT=$
and comment out the if statement block, the certificate is validated.
I even tried with a certificate with just CN=pfSense-ca,
but I get the same issue.
The CA is in pfSense and both the server and the client certificates are generated from it.
I tried destroying the CA, the server and client certificates and the OpenVPN server configuration and starting from scratch, but the problem persists.
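The sh -x trace in the report shows the verify script walking tls_serial_1, then tls_serial_0, finding both empty and exiting 1. OpenVPN sets tls_serial_{n} (n = certificate depth) in the environment of a --tls-verify script, so those variables only exist when OpenVPN launches the script during a handshake, not when it is typed into a shell. The following is an added, simplified stand-in for that loop, not the pfSense ovpn_auth_verify script and not part of the original report; the allow-list verifier replaces pfSense's PHP check and the serial values are constructed. It shows the indirect expansion and why a manual run, with no tls_serial_* in the environment, has nothing to verify and fails closed.

```shell
#!/bin/sh
# Added example: a simplified stand-in for the tls-verify loop seen in the
# sh -x trace above. This is NOT pfSense's ovpn_auth_verify script.
#
# OpenVPN exports tls_serial_{n} (n = certificate depth) into the environment
# of a --tls-verify script. The script walks from the deepest certificate down
# to depth 0 and hands the first serial it finds to a verifier.

# Constructed allow-list standing in for pfSense's PHP CRL/validity check.
# These serial values are made up for the example.
ALLOWED_SERIALS="01 02 4a"

check_serial() {
    # Print "OK" if the serial is on the allow-list, "FAILED" otherwise.
    for s in $ALLOWED_SERIALS; do
        if [ "$1" = "$s" ]; then
            echo OK
            return 0
        fi
    done
    echo FAILED
}

tls_verify() {
    # $1 = depth of the certificate being verified, as OpenVPN passes it.
    depth="$1"
    serial=""
    for check_depth in $(seq "$depth" -1 0); do
        # Indirect expansion: becomes serial=$tls_serial_1, serial=$tls_serial_0, ...
        eval serial="\$tls_serial_${check_depth}"
        [ -n "$serial" ] && break
    done
    # Fail closed: no serial in the environment means OpenVPN did not launch
    # this script (e.g. it was run by hand), so nothing can be verified.
    if [ -z "$serial" ]; then
        return 1
    fi
    RESULT=$(check_serial "$serial")
    [ "$RESULT" = "OK" ]
}

# Demonstration: the first call mirrors the environment OpenVPN provides,
# the second mirrors running the script from an interactive shell.
if ( export tls_serial_1=01 tls_serial_0=4a; tls_verify 1 ); then
    echo "with tls_serial_* set: verified"
fi
if ! ( unset tls_serial_0 tls_serial_1; tls_verify 1 ); then
    echo "without tls_serial_*: exit 1 (nothing to verify, fail closed)"
fi
```

The exit-1-by-hand behaviour is therefore expected for any script of this shape; the useful diagnostic is the OpenVPN log entry for the verify command, not a manual invocation.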
Updated by Jim Pingle about 3 years ago
- Status changed from New to Not a Bug
I can't reproduce this. TLS certs work fine as-is without any special changes.
This site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.
See Reporting Issues with pfSense Software for more information.